Stuxnet admission likely to have foreign policy consequences

Iran watchers remain concerned that a domestic political gambit may backfire.

Obama officials are taking a significant political gamble by admitting to creating Stuxnet.

Given the unofficial confirmation Friday that the United States was behind Stuxnet—the malware designed to sabotage the Iranian nuclear program—political and technical experts suggest that this may effectively put the United States in a more dangerous foreign policy position.

"This is the end of plausible deniability on Stuxnet," said Chris Bronk, a former State Department official, who is now a research fellow at Rice University. "Cyber is a dangerous place to play. This makes me very nervous that we don’t understand the entire set of consequences of releasing malware into the wild."

In other words, he told Ars, it sets a potentially dangerous precedent for other countries looking to develop or expand their own clandestine operations.

"Countries realize that cyber espionage is a heck of a lot easier than anything else," he said. "Now the question is: to what degree [will we have] malware that is designed to impact the physical world? When is that going to become a more widely utilized capability?"

US has "most to lose"

Mikko Hypponen, the chief researcher at F-Secure, a Helsinki-based security research group, added that the United States "has the most to lose out of attacks like these," because countries with advanced capabilities, including Russia, China, and possibly even Iran itself, will certainly be interested in developing similar cyber weapons.

"[The United States has] shown that they work, that they’re cheap, and they are deniable," he told Ars on Friday, pointing out that one of Stuxnet’s main advantages was that even years after its deployment, it still had plausible deniability by American officials.

At least one world leader said Friday he was not willing to use similar tactics. President Toomas Hendrik Ilves of Estonia—whose country was hit by a significant cyber attack in 2007 and consequently now hosts the NATO Cooperative Cyber Defence Centre of Excellence—responded on Twitter with a curt "no" that Estonia does not condone this type of behavior, nor would it consider using tactics like this against other nations.

Hypponen and others speculated that this week’s leak was a calculated political move by Obama Administration officials to give information to the press regarding the Stuxnet program as a way to shore up political support and to project the president as taking on one of the US’s main adversaries.

"Obama has the benefit of showing how strong he is against Iran by using clever, creative new methods," Hypponen noted.

But, he cautioned, "They’re apparently willing to take the damage on foreign policy."

Undercutting "Internet Freedom"

Indeed, things could not be more contentious with Iran right now than they already are—both countries, along with other major world powers, are set to meet in Moscow later this month for the third round of the "P5+1" negotiations on Iran’s nuclear program.

"[This revelation won’t] help the atmosphere," said Nader Entessar, a professor of political science and Iran expert at the University of South Alabama. "These are contentious negotiations to begin with. What is missing in this whole process is confidence-building measures. These things do not add to the positive side of the ledger."

Another problem with admitting to being behind Stuxnet is that experts say it may damage the oft-touted "21st Century Statecraft" and "Internet Freedom" agenda that the United States Department of State has been promoting in recent years.

"I think this undercuts the Internet Freedom agenda in a big way," Bronk, the former State Department official, added. "[It shows that the US] is willing to use the digital agora as a weapon whenever we need to. I think that’s playing both sides of the fence."

Finally, some even wondered if the Stuxnet situation will be used as an excuse to keep a closer eye on Iran’s domestic Internet use.

"[Iran is] going to use this as a justification for further clampdowns, that ‘we’re not trying to deny average citizens access, but all we’re trying to do is [ensure that the] Internet is not used as a means of warfare against Iran,’" Entessar told Ars. "It [becomes] a national security issue, as opposed to freedom of information issue."

95 Reader Comments

The leakers should be hanged from the neck until dead. Do security clearances mean nothing to these people any more? Everyone and their brother is rushing to spill details about the Bin Laden raid, and now they're risking massive retribution for bragging rights/political points (I'm not convinced political operatives leaked the info to help re-election, but if they did, I would vote for death by exposure instead of hanging).

Given the unofficial confirmation Friday that the United States was behind Stuxnet—the malware designed to sabotage the Iranian nuclear program—political and technical experts suggest that this may effectively put the United States in a more dangerous foreign policy position.

pffft. Any state actor with the capabilities has known for the last decade or more that "cyberspace" would be the battlefield of choice for the 21st century. The US is in no more dangerous position after this "revelation" than it was before it, because it was already the primary target of the majority of the world's state-sponsored cyber attacks. If anything, it puts the US in a better position because now those hostile actors know that the US knows how to play the game, and play it with a skill and subtlety that perhaps they hadn't anticipated, rather than being content to sit there and be a fat juicy target.

The leakers should be hanged from the neck until dead. Do security clearances mean nothing to these people any more? Everyone and their brother is rushing to spill details about the Bin Laden raid, and now they're risking massive retribution for bragging rights/political points (I'm not convinced political operatives leaked the info to help re-election, but if they did, I would vote for death by exposure instead of hanging).

These sorts of leaks are almost certainly orchestrated and done on purpose. Do you mean they should be hanged anyway? Maybe you do, but you should know that this sort of propaganda is constant and unrelenting under every administration.

Everyone already knew that either the US or Israel, or both countries in a joint effort, were behind Stuxnet. It was an open secret. This leak really changes nothing, except of course to further my belief that our government doesn't value our democratic ideals.

The interesting thing about this article regarding "the internet" is that Stuxnet actually had very little to do with the internet or internet security. It was a highly targeted payload intended for deployment inside an air-gapped secure network, and was probably never intended to spread beyond it. Indeed, it was expressly designed to disable itself if it found itself on anything but the targeted systems. It was about as discreet and courteous a bit of hostile code as you'll ever see.

The interesting thing about this article regarding "the internet" is that Stuxnet actually had very little to do with the internet or internet security. It was a highly targeted payload intended for deployment inside an air-gapped secure network, and was probably never intended to spread beyond it. Indeed, it was expressly designed to disable itself if it found itself on anything but the targeted systems. It was about as discreet and courteous a bit of hostile code as you'll ever see.

Until the Israelis got their hands on it.

We don't know if they're why it got out or not, but even so, what I said was true. Unless you're an outdated and unpatched Siemens uranium centrifuge controller directly connected to the internet, you have absolutely nothing to worry about from Stuxnet. This has been known from since Stuxnet first appeared.

Given the unofficial confirmation Friday that the United States was behind Stuxnet—the malware designed to sabotage the Iranian nuclear program—political and technical experts suggest that this may effectively put the United States in a more dangerous foreign policy position.

pffft. Any state actor with the capabilities has known for the last decade or more that "cyberspace" would be the battlefield of choice for the 21st century. The US is in no more dangerous position after this "revelation" than it was before it, because it was already the primary target of the majority of the world's state-sponsored cyber attacks. If anything, it puts the US in a better position because now those hostile actors know that the US knows how to play the game, and play it with a skill and subtlety that perhaps they hadn't anticipated, rather than being content to sit there and be a fat juicy target.

Seriously. I don't get the drama on this from Ars Technica at all, it's like both the article authors and most of the commentators think international relations is the same thing as their elementary school playgrounds. There's no "hypocrisy" or inherent "fairness" going on, there is no teacher to go running to, there's no World Police, etc etc. It's a bunch of independent sovereigns jostling about driven by a mixture of national interest and domestic politics within the restrictions of what power they are able to bring to bear.

It's like I'm reading a whole set of stories and comments by software patent writers: "OMG, put 'cyber' in front of anything or 'on the internet' after anything and it's TOTALLY NOVEL!" So they did a non-physical highly targeted covert operation designed to disrupt a military program of a hostile nation. Wow, no one has ever, ever done that before. This wasn't even particularly unique in using technological sabotage either. I was really disappointed that Ars didn't draw obvious parallels with old hat stuff like the CIA's Siberian Pipeline Sabotage back in 1982. And that SCADA sabotage didn't cause some bits of equipment to break, the TSP explosion was huge. In 1996 docs were declassified that flat out stated America had a long standing purposeful history of feeding defective technology to the Soviets.

Really, the talking heads you've gathered to sound all serious and grim about this are completely hilarious as much as anything. "Undermines the Internet Freedom agenda", what a joke.

it was expressly designed to disable itself if it found itself on anything but the targeted systems.

No it wasn't .. it spread as far and as fast as it could, like any worm. I contract for a provincial government in Canada and it infected hundreds, if not thousands of our computers.

Yeah, but what does it actually do on those computers? Nothing, right?

Executed arbitrary code. Caused network congestion. Embedded itself in all exes on public shares. Ran DOS attacks. Crashed all kinds of services that used RPC. Basically shut down the entire ministry for a day while help desk ran virus scans (after the definitions were updated).

Of course we're willing to use computer programs as weapons. This should come as a surprise to no one, including Iran. All things considered, I prefer non-lethal weapons like viruses to a preemptive strike by Israel, which we would have to support.

Stuxnet got out of control, but it was harmless to any computers that weren't using a specific set of Siemens software. Extra work for IT departments is preferable to thousands of human deaths caused by a conventional attack.

it was expressly designed to disable itself if it found itself on anything but the targeted systems.

No it wasn't .. it spread as far and as fast as it could, like any worm. I contract for a provincial government in Canada and it infected hundreds, if not thousands of our computers.

And what were the symptoms of the infection?

I outlined our symptoms above. There were a lot of worried people that saw that PLCs used by pipeline companies could be affected when the worm was initially released.

But all of that is irrelevant, worms do damage just to spread themselves. Some of the most famous worms in history have had no payload, but still caused insane amounts of damage. http://en.wikipedia.org/wiki/Computer_worm

Of course we're willing to use computer programs as weapons. This should come as a surprise to no one, including Iran. All things considered, I prefer non-lethal weapons like viruses to a preemptive strike by Israel, which we would have to support.

Stuxnet got out of control, but it was harmless to any computers that weren't using a specific set of Siemens software. Extra work for IT departments is preferable to thousands of human deaths caused by a conventional attack.

I don't see how this is related to internet freedom at all.

I agree. I'm glad to know that the US government is actively pursuing offensive cyber warfare programs. I expect the knowledge gained from these programs can have positive effect on our defensive efforts, as well.

Also, the nice thing about conducting affairs through espionage is that they rarely lead to actual shooting wars.

it was expressly designed to disable itself if it found itself on anything but the targeted systems.

No it wasn't .. it spread as far and as fast as it could, like any worm. I contract for a provincial government in Canada and it infected hundreds, if not thousands of our computers.

Yeah, but what does it actually do on those computers? Nothing, right?

Executed arbitrary code. Caused network congestion. Embedded itself in all exes on public shares. Ran DOS attacks. Crashed all kinds of services that used RPC. Basically shut down the entire ministry for a day while help desk ran virus scans (after the definitions were updated).

That doesn't sound like the Stuxnet that's been specifically discussed in the context of the Natanz attack.

From Wikipedia (and sourced from a Vanity Fair article)

Quote:

While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012

it was expressly designed to disable itself if it found itself on anything but the targeted systems.

No it wasn't .. it spread as far and as fast as it could, like any worm. I contract for a provincial government in Canada and it infected hundreds, if not thousands of our computers.

And what were the symptoms of the infection?

I outlined our symptoms above. There were a lot of worried people that saw that PLCs used by pipeline companies could be affected when the worm was initially released.

But all of that is irrelevant, worms do damage just to spread themselves. Some of the most famous worms in history have had no payload, but still caused insane amounts of damage. http://en.wikipedia.org/wiki/Computer_worm

Beg your pardon, I think you were posting that the same time I asked.

Very interesting. This is one of the first cases I've heard about where Stuxnet actually did something to the infected machine. You don't work with Siemens machines, do you? LOL

love that picture, i think the first real picture of the man (as president) where he wasn't smiling for the sake of smiling. Has that look of "JFC if you people even knew a shred of the 'top secret' things I deal with on a daily basis."

Limiting the virus to spread to only 3 machines at a time could have just been a ploy to avoid IDS/IPS (intrusion detection systems). You still get exponential growth, so assuming it takes 1 minute to infect 1 computer, in 1 hour it would infect 4.2*10^28 machines.

Also this was _not_ my experience with the worm, maybe this is referring to the RPC exploit?

What we observed is that one machine would try to spread to as many machines as possible via writable fileshares using its .lnk exploit. Our print servers also got hit with a completely separate exploit from the same virus. It also spread via a USB key exploit.

The disable itself in 2012 didn't really help us at the time. Looking in my emails it was September 2010 we got hit.

We noticed it when .lnk files started spreading on a server that is in a highly secure zone that connects with our private CDN (the network I develop software for). It wasn't able to spread within the CDN, but if it would have been able to it would have meant 1000 nodes spreading the virus or running DOS attacks each with an upload rate of 1 gigabit - 20 mbits.

love that picture, i think the first real picture of the man (as president) where he wasn't smiling for the sake of smiling. Has that look of "JFC if you people even knew a shred of the 'top secret' things I deal with on a daily basis."

Would be interesting to be privy to the nightmares he experiences. He still has a look of someone who is in over his head, trying to convey confidence in an arena where he's out of his element. Compare both his demeanor and Bush's often baffled looks against someone like Bill Clinton who had already years of experience as governor and dealt deftly with the issues and relationships before him. Obama comes off as smart and eloquent but with a confidence that is a bit of a put on.

Let's look at the bigger picture: Iran is now a couple of years further away from the bomb than it would have been without Stuxnet. And all those extra security precautions are probably slowing them down further. That's about as effective as bombing the reactors would have been.

Also Cyrus, responding 'no' to two questions is not the same thing as explicitly saying no to each one of them. It is not correct to quote him that way.

Nor is it particularly newsworthy that a government without the resources to carry out such an attack, says that they wouldn't do it against an adversary far more capable than themselves.

Admission? Last time I heard all the confirmation we had was one journalist's "anonymous sources". When did they actually admit to cooking up Stuxnet?

This. What am I missing here? The entire world was pretty sure the US was involved in some way, shape, or form, but this article makes it sound like Obama held a press conference to brag about it. Unnamed, anonymous sources, while often accurate, do not, in my book, constitute an admission of anything.

Good grief. If the CIA admitted the sky was blue I guess Ars would apparently publish an "OMG the sky is falling, the sky is falling!!" poorly thought out, overly sensationalized article about it. This chicken little style "reporting" is just plain embarrassing. As others have mentioned, everyone in Intelligence circles already knew where it came from. And anyone on here bringing up "freedom" is beyond naive. Cyber warfare is already happening -- there is no way for the US to avoid it. And that's ignoring how prevalent organized crime has become on the Internet. Look at the Internet 15 years ago compared to today and it's practically night and day.

"Countries realize that cyber espionage is a heck of a lot easier than anything else," he said. "Now the question is: to what degree [will we have] malware that is designed to impact the physical world? When is that going to become a more widely utilized capability?"

Any government that hadn't realized that already was full of morons and techno-illiterates. And there's plenty of evidence cyberattacks (primarily but not exclusively espionage) were on-going.

I do think there are costs of admitting to it. I don't understand the motive there, aside from the US political the only things I can think of are taking the heat off Israel (not that it will improve Iran's opinion of them at all) and people who just can't help talking about themselves. But those issues aside, I think the idea that this will make governments more seriously consider cyberattacks is just ridiculous.

Given the unofficial confirmation Friday that the United States was behind Stuxnet—the malware designed to sabotage the Iranian nuclear program—political and technical experts suggest that this may effectively put the United States in a more dangerous foreign policy position.

pffft. Any state actor with the capabilities has known for the last decade or more that "cyberspace" would be the battlefield of choice for the 21st century. The US is in no more dangerous position after this "revelation" than it was before it, because it was already the primary target of the majority of the world's state-sponsored cyber attacks. If anything, it puts the US in a better position because now those hostile actors know that the US knows how to play the game, and play it with a skill and subtlety that perhaps they hadn't anticipated, rather than being content to sit there and be a fat juicy target.

Anyone with half a brain knew that the US was probably involved in torturing people, but the revelation it actually happens, with photos and gory details, still matters in the political world. The biggest problem from this won't be that Iran knows that it was Israel and the US, but that the Iranian public knows it and they're going to try to look powerful over it. Any thoughts of reconciliation are now put on hold for at least 6 months, because to do anything would look like stepping down. If Iran wasn't entirely sure (it could have been an inside action) it pisses them off all over again and they'll probably think they have to retaliate in this tit for tat garbage.

Politicians are like the rest of us, they don't make wise, broad minded decisions, they're reactionary. This makes Iran look weak, they'll want to look strong. It makes the Chinese have firepower for the first time they actually get caught doing it and will make them more brazen. The US can't really condemn anyone without looking hypocritical (which they've oft gotten away with).

I chuckle every time I think about people that truly believe the man in that picture is/was anything more than a typical lying politician. He's the same lying asshole with different skin color. Not related directly to the article, but it's absolutely hilarious that people believed Barack Obama was going to save the US Government and be any different than the asshole that preceded him.

Not even close to the truth. They are lying, backstabbing assholes out for as much power and money as they can sign away their sworn office for. That goes from Barack Obama all the way to the smallest and greenest Rep. They aren't like me at all, I actually have morals and a sense of right and wrong. Every decision they make is to maximize the amount of money they get paid and how much power they can get and keep. They start wars to keep money and power and do so while flaunting every law that says they can't. Politicians aren't normal people and haven't been for at least 150 years in the United States. You have to have a shitload of money and influence before you can even begin to mount an effort to win political office and, with very rare exception, you must sell yourself out and make illegal and immoral deals to keep the seat you won. That goes for both parties and every skin color and gender of politician. They may be like you, but they sure as hell aren't anything like me.

And I'd chuckle every time one of you little clouds of cynical smug flaunted your "everything is the same, there's no differences between any choices, all countries are the same" bullshit, except that it's really not very funny. You get exactly the government you want and deserve, which would be OK if the rest of us didn't have to live with it too, so I guess there is no choice but to soldier on and let you free riders profit regardless.

Quote:

Not even close to the truth. They are lying, backstabbing assholes out for as much power and money as they can sign away their sworn office for. That goes from Barack Obama all the way to the smallest and greenest Rep.

Quote:

They aren't like me at all, I actually have morals and a sense of right and wrong.

I give credit for the current administration for not dropping bombs... that's about all I agree with. Others (you know who) have been advocating bombs and guns... so while I strongly disapprove of this, I admit it's better than a 3rd war.

Of course we're willing to use computer programs as weapons. This should come as a surprise to no one, including Iran. All things considered, I prefer non-lethal weapons like viruses to a preemptive strike by Israel, which we would have to support.

Stuxnet got out of control, but it was harmless to any computers that weren't using a specific set of Siemens software. Extra work for IT departments is preferable to thousands of human deaths caused by a conventional attack.

I don't see how this is related to internet freedom at all.

Stuxnet was harmless but viruses can be made that target infrastructure that could cause some physical harm. Just some examples I can think of:
* Virus made that launches a country's missiles at itself, or ally, or different enemy
* Virus that causes blackouts or disrupts water systems.